Attendees:

Voting Participants: Ken Dagg, Martin Smith, Mark Hapner, Richard Wilsher, Mark King, Jimmy Jung, Maria Vachino
Other IAWG Members: Hiroyuki Sato, Angela Rey, Matt King
Staff: Lynzie Adams, Kay Chopard

...

Monthly newsletter was distributed today. If you did not receive it and want to be added to the mailing list, please reach out to Lynzie.

Discussion:

DIACC

It is still unclear whether IAWG should be the group that comments on this or whether other work groups would be more inclined to do so. The Conformance Profile Draft Recommendation was pulled up to briefly review and discuss.

Ken’s fear is that different assessors would come up with different results. These criteria appear more likely to produce a ‘maybe’ answer, as opposed to a ‘yes’ or ‘no’, whereas Kantara criteria lend themselves to ‘yes’/‘no’ responses. It was proposed to follow up with the other groups and look further at the documents before fully committing.

As a note, it was previously standard to have one primary author. The initial drafting would take about 3 hours.

The 45-day review period for the CO_SAC was launched and closes June 6th. It was referenced in the newsletter for further publicity.

We have a new assessor application in the US as the program continues to ramp up. Healthcare is starting to really push for Kantara assessments. Kay recently met with HHS about our assurance program. 

International Updates:

We hope to begin accepting applications next month for the UK pilot program. We are waiting on final supplementary information coming this week. The pilot ends in the fall, so by the end of the year we should know more about ongoing demand. There is currently one assessor for the pilot. There was discussion around DCMS’ desired certifications for the assessors. The list is very extensive, and it will be difficult to find anyone who meets the full slate of requirements. The list of requirements was requested by a number of folks and will be circulated by Kay.

Ken inquired whether the IAWG should undertake a review of the Kantara criteria and the UK criteria to see how much overlap there is – in case Kantara wants to work with companies to provide both assessments in the future. Kay suggested that could work – or, alternatively, wait for Rev 4 and the UK criteria that come out at the end of the pilot, which will reflect more updated criteria and possibly be more timely.

Australia had a huge turnover of staff. An introductory call with the new folks is scheduled in the upcoming weeks.

No LC update.

Call for tweet-worthy items. Kay added that Karyn hopes to do a series of member spotlights in the newsletters. If you are doing something that you are proud of and your work with Kantara has supported it – please reach out. It’s an opportunity to highlight your program and get publicity. Karyn will conduct an interview and write it up – you just need to volunteer!

Mark King requested an update on DIACC in light of Ken’s retirement from the group. Kantara does have an open and active liaison agreement with DIACC. It was suggested that Mark King circulate his comments while we wait for the chair election next week. Once we’ve named a new chair, that person can decide whether or not s/he can take on the drafting of the DIACC comments. There are 15 days between the election and the deadline for comments. The group agreed to take this approach. Ken reported that it takes approximately 4-5 hours to create a draft and then 1-2 IAWG meetings dedicated to discussion. That’s the extent of time to spend on requests such as this. Maybe a bit more for members, but DIACC is not a member.

Lynzie will create a wiki page that has all of these files easily accessible.

Service Descriptors

With limited time, this will be the focus of the next meeting agenda.

Lynzie addressed the ARB’s concerns about technical approvals and its feeling that they should not be offered. Richard continues to believe it was a mistake to create the technical approvals – but the CO_SAC needs to be better aligned to support the 63-3 criteria. It is currently written to support the OP_SAC.

Jimmy views it differently. Many companies he talks with already have FedRAMP or a SOC report that they are showing people, so saying they have to pay for a CO_SAC too seems unnecessary. He is hesitant to make it required.

Richard pointed out that there are proofing and credential management criteria in the CO_SAC that are important and would not be included in a FedRAMP/SOC assessment.

Jimmy laid out the questions:

...

Next Meeting:

April 28 to continue the discussion on Service Descriptors and finalize for submission. At most, IAWG will have the May 12 and 19 meetings to finalize for the May 20 deadline if it is decided to proceed.

Discussion:

IAWG Chair Nomination and Election Process

IAWG is accepting nominations for chair through the start of the May 5 meeting. If there is only one nomination, a formal vote will be held during the meeting. If there are multiple nominees, a secret ballot will be sent to voting members to elect the new chair. So far Andrew Hughes has self-nominated for the chair role. Those interested should submit their nomination to the IAWG email list.

Service Descriptors

Classes of approval and Service Descriptors are a Board decision, but the Board is looking to the IAWG for a recommendation. The two major discussion points are 1) whether to retain technical approvals and 2) whether a full service must include both IAL and AAL. What do we want to advise the Board to do?

Richard suggested we may want to look at the classes of approval before focusing on the service descriptors. He is in favor of removing the technical class of approval. Jimmy disagrees with this suggestion. He believes many companies come in with other assessments (e.g. SOC, FedRAMP, 27001) that fulfill the requirement. From a marketing POV, they are paying for something twice. Richard believes our CO_SAC includes identity assurance criteria that complement our Identity Assurance Framework and that would not be included in these other assessments.

Martin asked if thought has been given to accepting other assessments. Richard says yes, but we might want to revise the CO_SAC with that understanding – that CSPs might come to Kantara with some of these other assessments already completed – and account for that in the CO_SAC. There are other criteria in the CO_SAC that all CSPs should be held accountable to. He suggests a full CO_SAC review for this purpose.

After continued discussion, it was agreed to invite CSPs at a later date to discuss this topic, and to extend the invitation to ARB members as well. Ken said this strategy has worked in the past – inviting CSPs to a meeting to discuss a relevant topic, and they have shown up. A survey was also suggested rather than a meeting. The group will attempt both – hold the meeting and follow up with a survey for those who could not attend or want to provide additional input.

The group thanked Ken for his service over the years for both Kantara and the IAWG.

Next Meeting:

May 5 to elect an IAWG Chair